Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to
2.2 (ipchains) transition. There's good and bad news.

Firstly, you can simply use ipchains and ipfwadm as before. To do
this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel
modules found in the latest netfilter distribution. These are
mutually exclusive (you have been warned), and should not be combined
with any other netfilter modules.

Once one of these modules is installed, you can use ipchains and
ipfwadm as normal, with the following differences:

Setting the masquerading timeouts with ipchains -M -S, or
ipfwadm -M -s does nothing. Since the timeouts are longer for
the new NAT infrastructure, this should not matter.

The init_seq, delta and previous_delta fields in the verbose
masquerade listing are always zero.

Zeroing and listing the counters at the same time `-Z -L' does
not work any more: the counters will not be zeroed.

The backward compatibility layer doesn't scale very well for
large numbers of connections: don't use it for your corporate
gateway!

Hackers may also notice:

You can now bind to ports 61000-65095 even if you're
masquerading. The masquerading code used to assume anything
in this range was fair game, so programs couldn't use it.

The (undocumented) `getsockname' hack, which transparent proxy
programs could use to find out the real destinations of
connections, no longer works.

The (undocumented) bind-to-foreign-address hack is also not
implemented; this was used to complete the illusion of
transparent proxying.

Plain masquerading is what most people want. If you have a dynamically
allocated IP PPP dialup (if you don't know, this is you), you simply want
to tell your box that all packets coming from your internal network
should be made to look like they are coming from the PPP dialup box.

Port-forwarding users are a much more niche group, so I didn't worry
about backward compatibility as much. You can simply use `iptables -t nat'
to do port forwarding. So for example, in Linux 2.2 you might have
done:
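Since the 2.2 and 2.4 commands are not reproduced on this page, here is an added example (not the HOWTO's own code): a small POSIX shell helper that prints, or with APPLY=1 runs, the 2.4 `iptables -t nat' rules for the two cases above, masquerading a dialup interface and translating a 2.2 `ipmasqadm portfw' rule into its DNAT equivalent. The interface name and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the NAT HOWTO.  Prints the 2.4 "iptables -t nat"
# rules that replace 2.2 masquerading and "ipmasqadm portfw"; with APPLY=1
# it runs them instead (needs root and the iptable_nat module loaded).

# Print a command, or run it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Masquerade everything that leaves through the dialup interface $1
# (for example ppp0; the name is an assumption) and turn on forwarding.
masq_rule() {
    emit iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    emit sysctl -w net.ipv4.ip_forward=1
}

# Translate the arguments of a 2.2 "ipmasqadm portfw -a -P proto -L laddr
# lport -R raddr rport" command into the equivalent 2.4 PREROUTING DNAT rule.
portfw_to_iptables() {
    proto= laddr= lport= raddr= rport=
    while [ $# -gt 0 ]; do
        case "$1" in
            -a) shift ;;                          # "add a rule": implied by -A
            -P) proto=$2; shift 2 ;;              # protocol
            -L) laddr=$2; lport=$3; shift 3 ;;    # local (public) address/port
            -R) raddr=$2; rport=$3; shift 3 ;;    # remote (internal) address/port
            *)  echo "portfw_to_iptables: unsupported argument '$1'" >&2; return 1 ;;
        esac
    done
    case "$proto" in
        tcp|udp) ;;
        *) echo "portfw_to_iptables: -P must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    for v in laddr lport raddr rport; do
        eval "[ -n \"\$$v\" ]" || { echo "portfw_to_iptables: missing $v" >&2; return 1; }
    done
    emit iptables -t nat -A PREROUTING -p "$proto" -d "$laddr" --dport "$lport" \
        -j DNAT --to-destination "$raddr:$rport"
}
```

Call it as `portfw_to_iptables -a -P tcp -L <public-ip> 8080 -R <internal-ip> 80' to see the rule, and prefix APPLY=1 to install it.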